One of the biggest attacks on the digital supply chain this year was launched by a little-known company that redirected large numbers of internet users to a network of fake gambling sites, according to security researchers.
Earlier this year, a company called FUNNULL purchased Polyfill.io, a domain that hosts an open source JavaScript library which, when embedded in websites, lets older browsers run features found in newer browsers. Once in control of Polyfill.io, FUNNULL used the domain to carry out what was effectively a supply chain attack, as cybersecurity firm Sansec reported in June: FUNNULL took over a legitimate service and abused its access to potentially millions of websites to push malware to their visitors.
At the time of the Polyfill.io acquisition, the original author of Polyfill warned that he had never owned the Polyfill.io domain and suggested that websites remove the hosted Polyfill code entirely to avoid the risk. CDN providers Cloudflare and Fastly also set up their own mirrors of Polyfill.io to offer a secure and reliable alternative for websites that want to keep using the Polyfill library.
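The mechanism described above, and the later point that the web is built from third-party tools controlled by third parties, comes down to one thing: a `<script src>` tag pointing at a domain someone else owns runs whatever that domain's current owner serves. The audit script below is an added example for this article, not code from TechCrunch, Silent Push, Sansec or the Polyfill project; it walks an HTML document, reports every cross-origin script, flags any that still load from polyfill.io, and notes whether a Subresource Integrity `integrity` attribute is present. The sample HTML, the hostnames ending in `.test`, the `FLAGGED_HOSTS` set and the severity labels are all constructed for the example.

```python
"""Audit an HTML document for third-party <script src> references.

Reports every cross-origin script tag, flags scripts still loaded from
polyfill.io (the domain discussed in the article), and records whether a
Subresource Integrity (SRI) `integrity` attribute is present. Without SRI,
the browser executes whatever the hosting domain currently serves, which is
exactly the exposure a hostile domain owner can abuse.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the article reports as abused. Constructed for this example;
# extend it with whatever your own inventory says should no longer be embedded.
FLAGGED_HOSTS = {"polyfill.io"}


class ScriptCollector(HTMLParser):
    """Collect (src, has_integrity) for every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if src:
            self.scripts.append((src, "integrity" in attr))


def _is_flagged(host: str) -> bool:
    """True when host is a flagged domain or one of its subdomains."""
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


def audit_html(html: str, site_host: str) -> list[dict]:
    """Return one finding per third-party script in `html`.

    `site_host` is the hostname of the page being audited; scripts served
    from it, or via relative paths, are first-party and are not reported.
    Severity: "high" for a flagged host, "medium" for any other cross-origin
    script without SRI, "info" for a cross-origin script that carries SRI.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, has_integrity in parser.scripts:
        # Protocol-relative URLs ("//cdn.example/x.js") are common in embeds.
        parsed = urlparse("https:" + src if src.startswith("//") else src)
        host = (parsed.hostname or "").lower()
        if not host or host == site_host.lower():
            continue  # first-party or relative script: not a third-party risk
        if _is_flagged(host):
            severity = "high"
        elif not has_integrity:
            severity = "medium"
        else:
            severity = "info"
        findings.append({"src": src, "host": host, "sri": has_integrity, "severity": severity})
    return findings


# Constructed sample page: one polyfill.io embed, one unpinned third-party
# script, one SRI-pinned third-party script, and one first-party script.
SAMPLE_HTML = """
<html><head>
<script src="https://polyfill.io/example.js"></script>
<script src="//cdn.example-vendor.test/lib.js"></script>
<script src="https://cdn.example-vendor.test/safe.js"
        integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "www.example-site.test"):
        print(f"{f['severity']:6} sri={str(f['sri']):5} {f['host']:30} {f['src']}")
```

Run against your own rendered pages (a crawl of the HTML your servers actually return, not just the templates), the "high" findings are the embeds the Polyfill author advised removing. One caveat the article's mirror remark implies: polyfill.io served different code depending on the requesting browser, so SRI, which pins a single digest, cannot protect a live polyfill.io embed; the options are to drop the dependency, self-host a fixed copy, or switch to a mirror you trust and pin that.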
It is unclear what the exact goal of the supply chain attack was, but Willem de Groot, founder of Sansec, wrote on X at the time that it appeared to be a “laughingly bad” attempt at monetization.
Now, security researchers at Silent Push say they have mapped a network of thousands of Chinese gambling sites and linked it to FUNNULL and the Polyfill.io supply chain attack.
According to the researchers’ report, which was shared with TechCrunch ahead of publication, FUNNULL was using its access to Polyfill.io to inject malware and redirect website visitors to that malicious network of online casino and gambling sites.
“It seems likely that this ‘online gambling network’ is just a front,” Zach Edwards, a senior threat analyst and one of the researchers who worked on the Silent Push report, told TechCrunch. Edwards added that FUNNULL “operates what appears to be one of the largest online gambling rings on the Internet.”
The Silent Push researchers said in their report that they identified around 40,000 mostly Chinese-language websites hosted by FUNNULL, all with similar-looking domains that were likely automatically generated and made up of a scattering of seemingly random letters and numbers. These sites appear to impersonate online gambling and casino brands, including Sands, the casino group that owns the Venetian Macau; Grand Lisboa in Macau; and SunCity Group, as well as the online gambling portals Bet365 and Bwin.
Chris Alfred, a spokesperson for Entain, Bwin’s parent company, told TechCrunch that the company “can confirm that this is not a domain we own, so it appears that the site owner is infringing on our Bwin trademark, so we will take action to resolve this.”
Sands, SunCity Group, Macau Grand Lisboa and Bet365 did not respond to multiple requests for comment.
Edwards told TechCrunch that he and his colleagues found a FUNNULL developer’s GitHub account, which discussed “money moving,” an expression they believe refers to money laundering. The GitHub page also contained links to Telegram channels that included references to gambling brands impersonated in the spam network, as well as talk of transferring funds.
“And these sites are all intended to move money, or that is their primary purpose,” Edwards said.
The network of suspicious websites is hosted, according to Edwards and his colleagues, on FUNNULL’s content delivery network, or CDN, whose website claims to be “Made in the USA” but lists several office addresses in Canada, Malaysia, the Philippines, Singapore, Switzerland, and the United States, all of which appear to be locations without a real-world address.
On its profile on HUIDU, a hub for the gambling industry, FUNNULL says it has “more than 30 data centers on the continent,” likely referring to mainland China, and has a “high-security automated server room in China.”
For a technology company, FUNNULL makes it difficult to reach its representatives. TechCrunch made several attempts to contact the company for comment and to ask about its role in the apparent supply chain attack, but received no response to any of its inquiries.
FUNNULL lists on its website an email address that does not exist; a phone number that the company says is on WhatsApp but that cannot be reached; the same number on WeChat, which appears to belong to a woman in Taiwan with no affiliation with FUNNULL; a Skype account that did not respond to requests for comment; and a Telegram account that identifies itself only as “Sara” and uses the FUNNULL logo as its avatar.
“We don’t understand what you said,” Sara replied on Telegram to a request for comment, sent by TechCrunch in Chinese and English and containing a series of questions for this article, and then stopped answering. TechCrunch was also able to identify a series of valid email addresses owned by FUNNULL, none of which responded to requests for comment.
A company called ACB Group claimed to own FUNNULL, according to an archived copy of its official website, which is now offline. TechCrunch was unable to reach ACB Group.
With access to millions of websites, FUNNULL could have launched far more dangerous attacks, such as installing ransomware, wiper malware, or spyware on unsuspecting website visitors. These types of supply chain attacks are becoming increasingly feasible because the web is now a complex global network of websites that are often built using third-party tools, controlled by third parties, which can sometimes turn out to be malicious.
This time, the goal was apparently to monetize a network of spam sites. Next time, it could be much worse.